ERROR_DS_NO_MORE_RIDS (0X00002011) Fix Guide

What Throws This Error

You'll see ERROR_DS_NO_MORE_RIDS (0X00002011) when Active Directory can't hand out a new Relative ID (RID) to a security principal — user, computer, or group. The pool of RIDs on your domain controller (DC) has run dry. This usually happens after years of user creation, or if a DC's RID allocation got corrupted. I've seen it most often after a forced demotion or an unclean shutdown of the RID master FSMO role holder.

Fix 1: The 30-Second Check — Replenish the Pool

Start here. Don't skip it. Open Active Directory Users and Computers on your RID master (the DC that holds this FSMO role). Right-click the domain name, choose Operations Masters, then the RID Pool tab. Click Check. If it says the pool is exhausted or corrupted, you need to request a new one. But first, try the quickest fix: restart the Kerberos Key Distribution Center service (kdc) on the RID master. Why? Because a hung service can block RID requests. After restarting, wait 30 seconds and try creating a new user. If that works, you're done. If not, move to the next fix.

Fix 2: Moderate Fix — Force a New RID Allocation via ntdsutil (5 minutes)

This step forces the DC to request a fresh block of RIDs from the RID master. It does not require a reboot.

1. Log into the DC that's throwing the error (or the RID master if all DCs are affected).
2. Open Command Prompt as Administrator.
3. Type ntdsutil and press Enter.
4. Type rid management and press Enter.
5. Type connections and press Enter.
6. Type connect to server <your-domain-controller-name> (replace with your DC's hostname). Press Enter. You should see Binding to <server>... Done!
7. Type quit and press Enter.
8. Type set new rids and press Enter.
9. Type submit and press Enter. You'll see RID request submitted successfully.
10. Type quit twice to exit ntdsutil.

Now, go back to Active Directory Users and Computers and try creating a user. It should work. If you still get the error, it means the RID master itself is out of RIDs to allocate. That's when you need the advanced fix.

Fix 3: Advanced Fix — Reset the RID Pool on the RID Master (15+ minutes)

This is the nuclear option. You only do this if Fix 2 didn't work. It resets the RID pool for the entire domain. You'll need to seize the RID master role if the current one is unresponsive, but I'll assume it's running.

1. Log into the RID master DC.
2. Open Command Prompt as Administrator.
3. Type net stop ntds and confirm. Wait for the NTDS service to stop.
4. Type net start ntds to restart it.
5. Run dcdiag /test:ridmanager /v. Look for lines like RID pool exhausted or rIDSetReferences missing.
6. If the test shows corruption, open ADSI Edit (install via Server Manager if missing).
7. Connect to the Default naming context. Navigate to CN=System, CN=RID Manager$, CN=System.
8. Right-click CN=RID Manager$, choose Properties. Double-click rIDAvailablePool. The value should be a huge number (like 4611686018427387903). If it's smaller (say under 1 million), it's corrupted.
9. To reset it, you need to edit the rIDAvailablePool attribute. Set it to 4611686018427387903 (the default max). If you can't edit directly, use ntdsutil again:

ntdsutil
rid management
connections
connect to server <your-RID-master>
quit
set new rids
submit
quit
quit

After resetting the pool, run dcdiag /test:ridmanager /v again. It should show RID manager test passed. Now try creating a user. If it still fails, you might need to transfer the RID master role to a different DC and demote the old one. But 9 times out of 10, the reset above does the job.

What If None of These Work?

If you still get error 0x00002011 after the advanced fix, you're dealing with a corrupted database. Here's the last resort: force demote the DC that's the RID master, clean up metadata, then promote it again. Or, better, transfer the RID master role to a healthy DC and leave the broken one as a standard DC. That's the quickest way to get your domain back online.

Also check your event logs at Applications and Services Logs -> Directory Service -> Operational for event ID 16645 or 16646. Those give you the exact RID range that's stuck.